Donate for the Cryptome archive of files from June 1996 to the present

12 November 2013

Julian Assange and MOONLIGHT MAZE

Underground: Hacking, madness and obsession on the electronic frontier

By Suelette Dreyfus with
Research by Julian Assange

[Excerpt. Mendax is the pseudonym of Julian Assange.]

He did, however, talk to Powerspike on the phone once in a while. The older hacker's highly irreverent attitude and Porky Pig laugh appealed to him. But other than those brief talks, Prime Suspect avoided talking on the phone to people outside the International Subversives, especially when he and Mendax moved into ever more sensitive military computers.

Using a program called Sycophant written by Mendax, the IS hackers had been conducting massive attacks on the US military. They divided up Sycophant on eight attack machines, often choosing university systems at places like the Australian National University or the University of Texas. They pointed the eight machines at the targets and fired. Within six hours, the eight machines had assaulted thousands of computers. The hackers sometimes reaped 100000 accounts each night.

Using Sycophant, they essentially forced a cluster of Unix machines in a computer network to attack the entire Internet en masse.

And that was just the start of what they were into. They had been in so many sites they often couldn't remember if they had actually hacked a particular computer. The places they could recall read like a Who's Who of the American military-industrial complex. The US Airforce 7th Command Group Headquarters in the Pentagon. Stanford Research Institute in California. Naval Surface Warfare Center in Virginia. Lockheed Martin's Tactical Aircraft Systems Air Force Plant in Texas. Unisys Corporation in Blue Bell, Pennsylvania. Goddard Space Flight Center, NASA. Motorola Inc. in Illinois. TRW Inc. in Redondo Beach, California. Alcoa in Pittsburgh. Panasonic Corp in New Jersey. US Naval Undersea Warfare Engineering Station. Siemens-Nixdorf Information Systems in Massachusetts. Securities Industry Automation Corp in New York. Lawrence Livermore National Laboratory in California. Bell Communications Research, New Jersey. Xerox Palo Alto Research Center, California.

As the IS hackers reached a level of sophistication beyond anything The Realm had achieved, they realised that progress carried considerable risk and began to withdraw completely from the broader Australian hacking community. Soon they had drawn a tight circle around themselves. They talked only to each other.

Watching the Realm hackers go down hadn't deterred the next generation of hackers. It had only driven them further underground.

In the spring of 1991, Prime Suspect and Mendax began a race to get root on the US Department of Defense's Network Information Center (NIC) computer--potentially the most important computer on the Internet.

As both hackers chatted amiably on-line one night, on a Melbourne University computer, Prime Suspect worked quietly in another screen to penetrate, a US Department of Defense system closely linked to NIC. He believed the sister system and NIC might `trust' each other--a trust he could exploit to get into NIC. And NIC did everything.

NIC assigned domain names--the `.com' or `.net' at the end of an email address--for the entire Internet. NIC also controlled the US military's own internal defence data network, known as MILNET.

NIC also published the communication protocol standards for all of the Internet. Called RFCs (Request for Comments), these technical specifications allowed one computer on the Internet to talk to another. The Defense Data Network Security Bulletins, the US Department of Defense's equivalent of CERT advisories, came from the NIC machine.

Perhaps most importantly, NIC controlled the reverse look-up service on the Internet. Whenever someone connects to another site across the Internet, he or she typically types in the site name--say, at the University of Melbourne. The computer then translates the alphabetical name into a numerical address--the IP address--in this case All the computers on the Internet need this IP address to relay the packets of data onto the final destination computer. NIC decided how Internet computers would translate the alphabetical name into an IP address, and vice versa.

If you controlled NIC, you had phenomenal power on the Internet. You could, for example, simply make Australia disappear. Or you could turn it into Brazil. By pointing all Internet addresses ending in `.au'--the designation for sites in Australia--to Brazil, you could cut Australia's part of the Internet off from the rest of the world and send all Australian Internet traffic to Brazil. In fact, by changing the delegation of all the domain names, you could virtually stop the flow of information between all the countries on the Internet.

The only way someone could circumvent this power was by typing in the full numerical IP address instead of a proper alphabetical address. But few people knew the up-to-twelve-digit IP equivalent of their alphabetical addresses, and fewer still actually used them.

Controlling NIC offered other benefits as well. Control NIC, and you owned a virtual pass-key into any computer on the Internet which `trusted' another. And most machines trust at least one other system.

Whenever one computer connects to another across the Net, both machines go through a special meet-and-greet process. The receiving computer looks over the first machine and asks itself a few questions. What's the name of the incoming machine? Is that name allowed to connect to me? In what ways am I programmed to `trust' that machine--to wave my normal security for connections from that system?

The receiving computer answers these questions based in large part on information provided by NIC. All of which means that, by controlling NIC, you could make any computer on the Net `pose' as a machine trusted by a computer you might want to hack. Security often depended on a computer's name, and NIC effectively controlled that name.

When Prime Suspect managed to get inside NIC's sister system, he told Mendax and gave him access to the computer. Each hacker then began his own attack on NIC. When Mendax finally got root on NIC, the power was intoxicating. Prime Suspect got root at the same time but using a different method. They were both in.

Inside NIC, Mendax began by inserting a backdoor--a method of getting back into the computer at a later date in case an admin repaired the security flaws the hackers had used to get into the machine. From now on, if he telnetted into the system's Data Defense Network (DDN) information server and typed `login 0' he would have instant, invisible root access to NIC.

That step completed, he looked around for interesting things to read. One file held what appeared to be a list of satellite and microwave dish coordinates--longitude, latitudes, transponder frequencies. Such coordinates might in theory allow someone to build a complete map of communications devices which were used to move the DOD's computer data around the world.

Mendax also penetrated MILNET's Security Coordination Center, which collected reports on every possible security incident on a MILNET computer. Those computers--largely TOPS-20s made by DEC--contained good automatic security programs. Any number of out-of-the-ordinary events would trigger an automatic security report. Someone logging into a machine for too long. A large number of failed login attempts, suggesting password guessing. Two people logging into the same account at the same time. Alarm bells would go off and the local computer would immediately send a security violation report to the MILNET security centre, where it would be added to the `hot list'.

Mendax flipped through page after page of MILNET's security reports on his screen. Most looked like nothing--MILNET users accidentally stumbling over a security tripwire--but one notice from a US military site in Germany stood out. It was not computer generated. This was from a real human being. The system admin reported that someone had been repeatedly trying to break into his or her machine, and had eventually managed to get in. The admin was trying, without much luck, to trace back the intruder's connection to its point of origin. Oddly, it appeared to originate in another MILNET system.

Riffling through other files, Mendax found mail confirming that the attack had indeed come from inside MILNET. His eyes grew wide as he read on. US military hackers had broken into MILNET systems, using them for target practice, and no-one had bothered to tell the system admin at the target site.

Mendax couldn't believe it. The US military was hacking its own computers. This discovery led to another, more disturbing, thought. If the US military was hacking its own computers for practice, what was it doing to other countries' computers?

As he quietly backed out of the system, wiping away his footprints as he tip-toed away, Mendax thought about what he had seen. He was deeply disturbed that any hacker would work for the US military.

Date: 25 Oct 1998 04:48:22 -0000
From: Julian Assange <>
Subject: Travel Plans

I'm about to escape from the perils of a summer in ``the planet's most livable city'' (Melbourne, Australia) and go treking about the worlderful world of snow, ice, slush, and imploding communism.

I'll be hop-scotching though the US, Western/Eastern europe, Russia, Mongolia and China (in that order). If anyone feels like getting together for beer, vodka, Siberian bear steak, or just a good yarn, please let me know.

What follows is a (very) approximate itinerary. Home-grown accommodation, a warm hearth, pulsating ethernet, interesting company (or a pointer to it) is capable of shifting dates and leagues. I am backpacking through eastern Europe and Siberia, so no hovel, couch or spare room is too small (even in the SF bay area), and would be highly thought of :)

28 Oct 98 San Francisco
05 Nov 98 London
06 Nov 98 Frankfurt/Berlin
09 Nov 98 Poland / Slovenia / eastern-europe-on-a-shoe-string
15 Nov 98 Helsinki
16 Nov 98 St. Petersburg
20 Nov 98 Moscow (trans-siberian express) ->
25 Nov 98 Irtutsk
29 Nov 98 Ulan Bator
03 Dec 98 Beijing


A Fierce Domain: Conflict in Cyberspace 1986 to 2012. Jason Healy, Editor. Cyber Conflict Studies Association. 2013.


Moonlight Maze

Adam Elkus

One of the enduring frustrations of cyber conflict lies in its tentativeness. Many of the basic events in its history are shrouded in mystery and heavily classified. A paucity of open-source information exists, much of it of limited reliability. Nowhere is this more evident than in the incident known as “MOONLIGHT MAZE.”

MOONLIGHT MAZE, a name given to a series of intrusions, is one of many “cyber security wake-up calls” that have highlighted the increasing role of state authorities in generating, sponsoring, or at least passively tolerating sophisticated and far-reaching espionage incidents. Russian involvement has been suspected, but never conclusively proven. Intruders probed computer systems at the Pentagon, the Department of Energy, private universities, and research labs searching for military maps, troop configurations, and military hardware designs.

In 1999, the Federal Bureau of Investigation made public that this espionage was ongoing, sending shockwaves throughout the cyber security community. Even though very little unclassified information is currently available about the incident, the ambiguous and disruptive effects of MOONLIGHT MAZE make it a signal case in cyber history.

MOONLIGHT MAZE shaped technical and organizational discourse within the US, and created the perception of a lethal, yet ephemeral and mysterious cyber threat. While earlier cyber espionage had occurred (such as Cuckoo’s Egg and RAHAB), these qualities make MOONLIGHT MAZE a useful marker for measuring the growth in widespread awareness of professionalized, state-sponsored threats in cyberspace. Its ambiguity also symbolizes an era of cyber conflict in which few easy answers can be found concerning the origin, dynamics, and/or goals of adversarial espionage threats. Additionally, the federal government’s organizational responses to the incident represented the growing understanding among security executives that defending cyberspace requires different tools, organizations, and concepts. In this, MOONLIGHT MAZE actually dove-tailed with a larger focus on adapting the government to fight transnational threats. This focus would take shape immediately before and after the 11 September 2001 terrorist attacks.

Establishing Context Before MOONLIGHT MAZE, many high-profile cyber incidents that targeted United States government networks were attributed to non-state actors. The 1994 attacks that targeted the United States Air Force’s Rome Labs were the work of two British youngsters—one of whom was motivated by his love of the X-Files. The 1998 SOLAR SUNRISE incident also was carried out by young hackers in California and Israel. Massive, sustained, and state-backed cyber operations were not widespread in the late 1990s. However, this situation was about to radically change.

This is not to say that all or even most pre-MOONLIGHT MAZE incidents were the work of the stereotypical teen-aged hacker. Rather, the point is that the massive state espionage which has characterized cyber incidents in most of the last few years, was not as omnipresent in either public or elite consciousness prior to the late 1990s.

In 2001, MOONLIGHT MAZE was considered to be the largest cyber attack on the United States to date. The era of TITAN RAIN and other larger cyber espionage cases, such as Stuxnet, was yet to come. It is also important to note cybersecurity’s interaction with larger trends in American national security during the late 1990s. Natural security policymakers were beginning to recognize that the seductive concepts of the Revolution in Military Affairs (RMA), America’s technological superiority in the Gulf War, and the Kosovo conflict disguised a growing threat from state and non-state adversaries determined to play by different rules.

American adversaries would not continue to invite the kind of security responses that played best to American strengths. Rather, they would look for cheap tools and target American weaknesses. Information technology, considered a strength in conventional warfare, became a source of weakness within the framework of cyberwarfare and cyber-espionage. Moreover, US policymakers clearly saw similar challenges to inter-agency boundaries and capabilities posed by both cyber opponents and more traditional forms of terrorism.

Presidential Decision Directive 63 (PDD 63) led to the creation of the National Incident Protection Center (NIPC), as an inter-agency body with the power to safeguard the nation’s civilian and governmental critical infrastructure from computer-based attack. SOLAR SUNRISE and other thorny cyber incidents prompted the creation of Joint Task Force-Computer Network Defense (JTF-CND), a body trusted with the centralized and coordinated defense of military networks.

These agencies were maturing just as MOONLIGHT MAZE became known to the United States government, and played crucial roles in resolving the incident. MOONLIGHT MAZE’s emphasis on Russian espionage also did not occur in a geopolitical vacuum. While geo-strategic competition between the United States and the Soviet Union ended in the early 1990s, Russian espionage has continued largely unabated.

The MOONLIGHT MAZE incident also occurred in a time of rising American awareness of a growing Russian investment in information warfare capabilities. As adversary cyber doctrine specialist Lieutenant Colonel (Ret.) Timothy Thomas noted, Russian military thinkers incorporated the idea of “system on system” military operations from the early 1990s onwards.

Russia, though geopolitically weakened, was energetic in projecting power into cyberspace. Its military doctrine in the period of the late Cold War recognized the importance of command, control, intelligence, and computers (C4I) but lacked the material means to realize this “military-technical revolution.” However, cyber-espionage and cyberwarfare capabilities were well within even a greatly weakened Moscow’s reach. MOONLIGHT MAZE must be understood within this unique context.

However, some caution should be exercised in pointing toward Russia as the perpetrators of MOONLIGHT MAZE. The evidence of Russian involvement is still circumstantial in the unclassified records. The Russians vigorously denied participation in MOONLIGHT MAZE. This too can be viewed within a larger context. Russia has often been suspected of direct involvement and/or indirect involvement in cyber conflict, but direct proof of Russian involvement has always been frustratingly difficult to assemble.

Sorting out official Russian government activity from that of patriotic hackers or the large organized crime sector is also difficult, as all three sectors are both porous and extremely murky. Lastly, the open-source record does not indicate that there was a strategic or even a tactical warning of the MOONLIGHT MAZE crisis.

Network defenders, the Department of Defense, and the FBI struggled to understand the nature of the attack, who carried it out, and why. The fact that these questions are still largely publicly unanswered suggests problems regarding not only cyber early warning efforts but also post-incident damage assessments. Entering the Maze In March 1998, the DoD detected what was then dubbed the most “persistent and serious” computer attack against the United States to date. While no classified networks were targeted, the Non-Classified Internet Protocol Router Network (NIPRNET) was penetrated.

Network security specialists at the Defense Information Systems Agency discovered that attackers had entered NIPRNET and other unclassified systems by “tunneling” malicious codes within programs for routine computer operations. This made it more difficult for systems administrators to discover precisely what was occurring.

The intruders broke into computer networks belonging to the National Aeronautics and Space Agency (NASA), the Department research agencies and private laboratories. The attackers were after military-technical information on DoD systems.

The FBI led the investigation, which was coordinated through the National Infrastructure Protection Center (NIPC), while the newly created Joint Task Force-Computer Network Defense (JTF-CND) took the lead in coordinating a response. The incident was codenamed “MOONLIGHT MAZE.” It is important to understand that MOONLIGHT MAZE was not a one-off incident, but an extended campaign that occurred for at least three years, conducted by multiple actors against defense systems. A Government Accountability Office (GAO) report characterizes MOONLIGHT MAZE as a “stealth” campaign of recurring hacks.

It was MOONLIGHT MAZE’s massive scale and duration that differentiated the attacks from other cyber incidents during the 1990s. The intruders lifted thousands of files containing information on technical research, contracts, encryption techniques, and unclassified specifications of DoD war-planning systems. In turn, the attack triggered one of the largest and most secretive cybersecurity investigations in the DoD’s history.

Other notable aspects of MOONLIGHT MAZE were its exploitation of the scientific community’s access to the DoD and the attackers’ operational sophistication. In an interview with PBS Frontline in 2003, former Deputy Security of Defense and later Center for Strategic and International Studies President John Hamre noted that the attacks exploited the prevailing norm of openness in the scientific community.

The intrusions were not conducted through the Internet, but instead exploited the Department of Defense’s dependence on a scientific-industrial backbone. Hamre emphasized that the perpetrators did not hack from laptops, but rather employed sophisticated hardware with formidable computing power. He also judged that they possessed excellent operational skills, iteratively adjusting their techniques in response to countermeasures. Hamre noted that the broadly DoD-related research community allowed researchers access to large farms of supercomputers. This vulnerability, Hamre argued, could also potentially be exploited again:

Evidence of the sophistication of the attackers can also be found in their use of what was dubbed a “distributed coordination approach” to information extraction. The attackers used thousands of servers to overwhelm a single server. Because many servers are used, each attack can be disguised as a legitimate connection attempt. This makes it difficult for the victim’s software to know that it is under assault, and also helps camouflage the identity of the attackers.

As will be noted later, DoD audiences also judged that distributed coordination approaches posed a threat to the supposed “perimeter defense” model that dominated DoD information assurance. Efforts to target the adversaries to disable their operations were considered but were dogged by fears that such self-defense measures might constitute an act of war, if the attackers were state-sponsored. Lack of understanding of the nature of the adversary thus hamstrung what might be considered today an “active” defense against intrusion.

However, this did not mean that the DoD did not take steps to secure its networks. The Pentagon also decided that it would reroute its communications through eight large electronic gateways in order to better facilitate monitoring of activities and to cut down the attackers’ opportunities. Passwords also underwent encryption, and a DoD-wide password change was forced by the JTF-CND. The Pentagon responded by investing $200 million to purchase new encryption technology, firewalls, and intrusion detection technologies.

Unfortunately, the response to MOONLIGHT MAZE was also hindered by the fact that the NIPC itself was still unsteady during the time of the intrusions. By October 1999, senior agents were being transferred out of the NIPC to investigate Chinese espionage cases. Congress rejected efforts by the NIPC to expand its stable of agents. All of this occurred as the FBI’s load of computer crime cases expanded from 200 in 1997 to 800 in 1999, while the FBI struggled to meet its target of 243 agents pursuing digital crime and espionage cases full time. NIPC Director Michael Vatis said:

Our bench is thin, very thin… We have put together a good starting lineup. But if we had several major incidents at the same time, we would be severely stretched, to put it mildly.

On 7 October 1999, NIPC director Michael Vatis went public. Though earlier news reports had announced a large cyber campaign against the Pentagon, Vatis’ interview and those given by other government officials were the most significant early disclosures. Vatis not only broke the news of a large cyber-espionage campaign, but also explicitly suggested a Russian origin. However, Vatis refused to comment further. Assistant Secretary of Defense for Command, Control, and Communications Arthur Money declared that the scale of the incident was “alarming” and observed that NIPRNET had been compromised. The intensity of the attacks declined after the public announcement, compared to the spring and summer of 1999.

An undisclosed government source noted that the attack had been traced to Internet servers located 20 miles from Moscow. The source also noted that the pattern of the intrusions suggested that the attackers had a regular office-like schedule. The attacks occurred regularly from 8 am to 5 pm and never on Russian holidays. A senior Energy Department official also suggested that it could be a “sponsored” intelligence activity, pointing to the “organized” nature of the activity. Dion Stemfley, an analyst working for the Defense Information Systems Agency (DISA), suggested that the attacks, if not state-conducted, were “state-allowed.”

Other circumstantial evidence was offered to the media, which apparently suggested Russian involvement. This included the existence of an unusually high-speed connection, linking research facilities in Moscow to the United States. US government sources speculated that it hid a major offensive command and control network within ostensibly civilian research facilities. Photos of DoD facilities, network maps, and duty rosters were also alleged to be present on these networks.

At the time, outside experts began to voice skepticism about foreign state involvement in the hacking attacks. George Smith, editor of the Crypt Newsletter, speculated that the attackers were teenagers and accused the DoD of engaging in hysteria. Allan Thompson, a former Central Intelligence Agency analyst, argued that it did not make sense for the Russian intelligence service to “tip its hand” with a massive operation rather than patiently developing its capabilities. Finally, a Russian technology analyst voiced skepticism about the idea that a high-powered connection cable was necessary to steal photographs of DoD facilities or duty rosters.

Fred Cohen of Sandia National Labs argued that the attack, while innovative, also owed its success to the DoD’s own security deficiencies. The fact that the attacks were recurring, Cohen argued, had more to do with the continued inability of the Department of Defense to protect its networks. Sophisticated attackers, in other words, were not really the problem.

However, as is common in cyber conflicts, these commentators were not able to review the government’s evidence on the seriousness of the incident, nor why some government voices suggested Russia was responsible. In 2000, the United States government formally complained to Russia about the hacking and provided the telephone numbers from which the attacks supposedly originated. Russian authorities claimed that the numbers were non-operative and denied any prior knowledge of the attacks. Nonetheless, US officials did travel to Moscow in an effort to reach out to Russia to investigate the source of the espionage.

Russia has consistently denied involvement in the MOONLIGHT MAZE incident. In 2001, a Foreign Affairs article revealed that attackers were not only continuing to operate in the system, but had also left in place “backdoors”—code or instructions that easily enable hackers to sneak back into a previously compromised system to exfiltrate more data or inflict damage on a system at a later date. Three years of investigation had produced little information on the source of the attack.

In April 2003, PBS Frontline ran a special on MOONLIGHT MAZE and other cyber incidents. Here, it was revealed that network attackers had accessed tens of thousands of files on military maps, troop configurations, and military hardware designs. RAND Corporation analyst John Arquilla, also interviewed, cast doubt on the diagnosis of a Russian attacker, noting that the attacker could have easily bounced his traffic off Russian computers to confuse defenders.

However, this is a fairly standard rejoinder for most attacks, since it is technically possible, but the response ignores other lines of evidence. The FBI’s investigation ultimately came to center around whether or not the attacks were conducted by Russia’s Academy of Sciences. Government officials told Newsweek off-the-record that the Russian Academy of Sciences—an entity linked to the Russian military—was behind the attacks.

The attacks were ultimately traced back to a mainframe computer in Russia, but the real point of origin remains unknown.433 No further information has been forthcoming. Implications It is difficult to write of MOONLIGHT MAZE’s implications while so little is currently known about the incident. However, MOONLIGHT MAZE had a sizable impact on many aspects of cybersecurity and intelligence. As previously noted, it also remarkably originated many ongoing policy issues in cybersecurity. The United States is upset over what it views as aggressive and unrelenting Russian state-sponsored hacking. Russia continues to deny involvement, while highlighting the risk of what it views as an emerging information warfare arms race. MOONLIGHT MAZE also was a “wake-up call” that aggressive extraction from information resources by state, state-sponsored, or state-sympathetic organizations would be an enduring part of the cyber conflict landscape. It also significantly highlighted the continuing interest of Russia, like China, in American military technology. Michael Vatis said,

The greatest potential threat comes from foreign state actors who might choose to engage in information warfare against the United States, because they realize that they can’t take us on in conventional military terms and would seek to go after what they perceive as our Achilles heel…which is our reliance on information technology, more than any other country to control our critical operations.

Lessons Learned While a distinction is often rightfully made between cyber warfare and cyber espionage, MOONLIGHT MAZE demonstrated to a significant degree that the two feed into each other. Was MOONLIGHT MAZE simply another episode in a long history of spy games? Or did it signal preparation for a possibly imminent war? The attackers ostensibly targeted unclassified information, but also allegedly left trapdoors for further infiltration. Without access to the results of the investigation, it is difficult to tell what the ultimate aim of the action was. It very well may have been what Thomas called a “long-range cyber reconnaissance” to prepare the ground for more kinetic actions. But it may also have been an act of espionage. John Arquilla, one of the early thinkers on information warfare and cyber conflict, put it this way:

There’s an interesting problem here, in that some events, like the Moonlight Maze intrusions, were simply exploitative in nature—gaining access to information. But the means by which access was gained are observationally equivalent to the things that a hacker would do if he wanted to intrude and then engage in vast disruption. So we need to figure out how to deal with these problems that have to do with exploitation of systems, because that’s our first basis for defense against attacks designed to take these systems down.

Hence MOONLIGHT MAZE, while an espionage incident, was regarded very much as a hostile military act. Hamre, briefing Congress on the incident, declared that the DoD was in the middle of a “cyberwar.”

Similarly, militaristic language was consistently used in press accounts. Very few noted that the open-source literature seemed to support the thesis that it was in fact an act of espionage, not warfare or sabotage.

The investigation’s sheer scale and minuscule results also foreshadowed what would come to be a recurring theme in cyber-espionage investigations. Years of analysis were required to even roughly understand and attribute MOONLIGHT MAZE to Russian actors. These attackers may have had access to DoD networks for years without detection.

While iDefense cybersecurity consultant James Adams highlighted the need for a “deterrent strategy,” the US government still struggles with stopping cyber-espionage. If attribution is difficult, and the incidents do not inflict lethal damage, it can be difficult to effectively deter actors from aggressively compromising US networks.

The incident clearly brought the problem of attribution to the fore. The Russian Federation refused to accept responsibility for the incident, and the circumstantial evidence involved was not sufficient to permit the United States to impose any political sanctions upon Moscow. The uncertainty surrounding the incident persists today, as so little information is available on who was responsible for the incident. It is believed that the attack was at least connected with the Russian government, but uncertainties plague even this suspicion. Lack of attribution, in turn, leads to paralysis in active defense responses to the attack. If the DoD is not sure precisely who is attacking it, legal implications concerning responses cannot be easily calculated. Hamre’s comments that the attack exploited the open norms of the scientific community also highlighted a problem that continues today in cybersecurity policy. Hamre’s point is that attackers exploited an institution with different security norms than the hierarchal and closed world of the DoD. In order to enjoy the benefits of scientific-technical partnerships with research laboratories, however, the military cannot simply dissociate itself from the scientific community. Navigating the organizational and technical implications of continued engagement with communities that employ looser security practices remains a continuing cybersecurity problem.

Technical Innovations

The attack exposed some substantial weaknesses in DoD computer defenses. Those weaknesses were cause for substantial alarm. A 2001 Defense Science Board Task Force report noted that incidents such as MOONLIGHT MAZE constituted a “low and slow” attack that challenged the Department of Defense by exhibiting several characteristics. Low and slow attacks may go undetected for substantial amounts of time, especially if an insider is conducting or abetting the attack. The lack of any apparent outcome in a low and slow attack might blind investigators to the possibility of insertions of logic bombs, Trojan horses, and viruses that could be implemented at the time and place of the attacker’s choosing. Attributing motives for the attacks may also be difficult, if not impossible, due to such an undetected insertion not becoming apparent until months or even years after the initial compromise.

The Defense Science Board report similarly raised the issue of “defense-in-depth,” which would later become a hot topic among chief technology officers and cyber strategists. The Defense Science Board argued that MOONLIGHT MAZE and similar incidents could partially have occurred because of a prevailing “perimeter defense” mentality, meaning the defense is hard on the outside but soft on the inside. Unfortunately, once the intruders were inside the targeted systems, network defenders had little idea of what was happening within their own networks.

Many of these themes will be familiar to cyber policy analysts debating defense-in-depth based approaches, the concept of the “Maginot Line of Information Security,” and the idea that network defenders should assume a breach and act to mitigate it.

Organizational Innovations MOONLIGHT MAZE reaffirmed commonly accepted organizational lessons derived from the 1997 ELIGIBLE RECEIVER and the 1998 SOLAR SUNRISE incidents. The multi-dimensional nature of these assaults and the emphasis they put on quick response convinced many that the United States needed an operational organization capable of directing technical changes to DoD computers and networks for cyber defense. The Joint Task Force-Computer Network Defense (JTF-CND), assigned from 1998 to 2004 to a variety of DoD organizations under many different names, played a key role in the MOONLIGHT MAZE incident. Most notably, the JTF-CND issued the first military-wide order to change passwords during the episode.

Though the JTF-CND evolved concurrently with the MOONLIGHT MAZE investigation, the incident would only bolster what many viewed as the necessity for unity of command, with one commander being responsible to higher authority.

DoD policymakers also agreed that truly comprehensive incident reporting was needed, with assessors possessing the ability to accept data from both automated systems and qualitative products, such as manual incident reports based on personal observations and analyses. This would speed up and streamline incident response. The DoD’s chief organizational response was to institutionalize a four-tiered process of incident response. Military reporting would be handled at the local level through network operations and security centers (NOSCs) under the control of the Defense Information Systems Agency (DISA). The primary purpose of this line of reporting is to report problems. Assessments of the impact from a command control perspective are channeled through individual Service and regional Computer Emergency Response Teams (CERTs). Both kinds of incident reports in turn would be sent to what was then known as the JTF-Computer Network Operations (CNO) and the DISA Global Network Operations and Security Center (GNOSC).

MOONLIGHT MAZE also played an influential role in a government-wide, pre-9/11 effort to create a “counterintelligence czar,” who would coordinate inter-agency efforts against terrorists, spies, and cyber intrusions. In an interview with a National Journal reporter, Hamre recalled that a conversation about the MOONLIGHT MAZE incident with the FBI’s Deputy Director for National Security Robert Bryant in 1998 provided the impetus for a new counterintelligence initiative to respond to unconventional threats.

MOONLIGHT MAZE’s domestic targets and (alleged) foreign actors prompted this conversation about ways in which organizational stovepipes prevented security agencies from countering unconventional threats. The DoD, Hamre noted, cannot investigate inside US borders, and the law enforcement community lacked many tools that the DoD and the CIA possess for operating overseas. Hamre pushed for the Counterintelligence-21 initiative, a call for a national counterintelligence executive, empowered to issue a counterintelligence strategy. Hamre and others’ efforts eventually resulted in the founding of the Office of the National Counterintelligence Executive (ONCIX) in 2001.


It remains to be seen whether the public will ever find out what really happened in MOONLIGHT MAZE. Basic elements of the story remain hidden behind classification and a shroud of mystery. Unfortunately, future actions and responses in the cyber world are likely to be more like MOONLIGHT MAZE than not. Only by learning from the incident will we be better prepared for the murky, fast-paced, and organizationally complex cyber campaigns of the future. MOONLIGHT MAZE raised our common awareness of the state-backed attacker and led to far-reaching policy shifts.